Skip to main content

Spacelabs Sentinel EUVDEUVD-2026-33974

| CVE-2026-0611 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-02 VulnCheck GHSA-344f-p6q5-rw6q
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 17:30 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
9.8 (CRITICAL) 9.2 (CRITICAL)

DescriptionCVE.org

Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel exposed on port 8989 that allows attackers to perform arbitrary file read and write operations by supplying valid .NET URI endpoints. Attackers can write ASPX webshells to the IIS wwwroot directory to achieve unauthenticated remote code execution on the system. Port 8989 is not exposed in a default Sentinel installation; exploitation requires that the .NET Remoting port has been explicitly made network-accessible through deliberate configuration or network policy changes.

AnalysisAI

Unauthenticated remote code execution in Spacelabs Healthcare Sentinel (versions 10.5.x and 11.x prior to 11.6.0) allows network attackers to drop ASPX webshells into the IIS wwwroot via a legacy .NET Remoting HTTP channel on TCP/8989. The flaw stems from missing authentication (CWE-306) on a deprecated Microsoft remoting endpoint, and while a vendor patch is available, no public exploit identified at time of analysis. Exploitation requires that port 8989 has been deliberately exposed to the network, since it is not reachable in default Sentinel deployments.

Technical ContextAI

Sentinel is Spacelabs Healthcare's diagnostic cardiology connectivity platform, used in clinical environments to manage Holter and ambulatory ECG data. The vulnerable component is a .NET Remoting HTTP channel - a legacy Microsoft inter-process communication framework that Microsoft itself deprecated and warned against exposing to untrusted networks because it lacks built-in authentication and deserializes attacker-controlled object graphs. The CWE-306 (Missing Authentication for Critical Function) classification is precise here: the remoting endpoint on port 8989 accepts arbitrary .NET URI endpoint requests without identity verification, and the implementation exposes file read and write primitives that can be aimed at the IIS web root co-hosted on the same machine. Writing an .aspx file into wwwroot causes ASP.NET to compile and execute it on the next HTTP request, converting an arbitrary-file-write primitive into full RCE under the IIS application pool identity.

RemediationAI

Vendor-released patch: upgrade Sentinel to version 11.6.0 or later per Spacelabs Security Advisory 079-0273-00 RevA (https://spacelabshealthcare.com/wp-content/uploads/2026/06/079-0273-00-RevA-Security-Advisory-Sentinel-.NET-Remoting-Vulnerability.pdf); the 10.5.x and earlier 11.x branches do not appear to receive a backported fix, so upgrade is the only sanctioned remediation. If immediate patching is not possible, block TCP/8989 at the host firewall and any upstream network ACL - because port 8989 is not used in default Sentinel installations, blocking it should have no impact on standard clinical workflow, though sites that previously exposed it for a custom .NET Remoting integration will lose that integration and must validate with the integration owner before blocking. Additionally, segment the Sentinel server into a restricted clinical VLAN with allowlisted source IPs for management traffic, and audit IIS wwwroot for unexpected .aspx files as a compromise check before and after remediation. Consult VulnCheck's advisory at https://www.vulncheck.com/advisories/spacelabs-healthcare-sentinel-x-unauthenticated-rce-via-net-remoting for additional detection guidance.

Share

EUVD-2026-33974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy